Features and Benefits:

Software Defined Networking Application & DDoS Protection Services

Built as a native SDN application, Radware's DefenseFlow provides DDoS protection services and equips network operators with the following key advantages when adding DDoS protection into their infrastructure:

Unprecedented coverage against all types of network DDoS attacks

Best design for attack mitigation – attack detection is always performed out of path; during an attack, only suspicious traffic is diverted through the mitigation device

Most scalable mitigation solution – DefensePro mitigation devices can be placed in any location, and DefenseFlow diverts the traffic to the nearest mitigation device

Legacy DDoS protection services that make use of scrubbing centers are costly because they need hardware detectors in every network location, BGP for traffic diversion, and GRE tunnels to forward the traffic to its designated network object. With SDN, a DDoS protection solution turns into a software application that adds intelligence to the network. There is no need for additional hardware, BGP or GRE operations, which is a great cost reduction opportunity for operators.

Solution:

DefenseFlow uniquely addresses the new requirements by leveraging the programmable and dynamic nature of software defined networks and by employing adaptive security algorithms combining the following capabilities:

While alternative approaches require static provisioning of security systems throughout the network, sized according to the protected network capacity, DefenseFlow leverages the entire network combined with on-demand intelligence of network, application and APT recognition algorithms, using only the exact amount of resources needed, at the optimal network location, to identify and block various attacks of various sizes.

The solution operates using a continuous four-stage service lifecycle:

Provision security detection throughout the network by programming counters throughout the SDN nodes, by provisioning L4-7 Application Intelligence (AI) engines, and by mirroring traffic to the L4-7 AI engines.

Collect information from the entire set of provisioned information sources.

Analyze network and application information in order to categorize behavioral patterns, maintain an ongoing behavioral baseline and identify any steep deviations from the baseline.

Control traffic and service elements by blocking traffic, diverting traffic to dedicated attack mitigation engines and optimizing security policies.

The solution is an evolution of the DefenseFlow Network Behavioral Analysis (NBA) solution, adding to it an Application Behavioral Analytics (ABA) component as well as an Advanced Persistent Threat (APT) detection module. In order to formulate a consistent and actionable behavioral baseline, and identify deviations from this baseline at the application behavior and APT levels, several implementations of patented behavioral analysis mechanisms are used. These mechanisms define real-time application and network attack signatures most effective against modern zero-day attacks. Furthermore, the ability to scale intelligent application-level attack detection engines on the fly and distribute traffic across these engines intelligently (leveraging SDN) is patent pending under the Radware ElasticScale network services framework.

The illustration outlines various capabilities of the DefenseFlow solution by showing the following elements:

User and server networks: these are organizationally controlled assets under which the SDN is assumed to operate (fully or partially) for collecting traffic statistics, mirroring traffic to vDPI engines and blocking traffic.

Edge network through which all traffic in and out of the organization passes; this network section is assumed to be fully SDN capable and is responsible for collecting traffic statistics, mirroring traffic to vDPI engines, diverting traffic to attack mitigation systems and blocking traffic.

The L4-7 service fabric, which is pictured as a single area but can be distributed throughout the entire SDN as best suited to protect the network. The fabric consists of L4-7 systems such as DPI engines, attack mitigation systems, etc. The DPI engines are responsible for collecting application-layer metadata and statistics, and the attack mitigation systems are responsible for blocking attacks at very high certainty.

The solution control plane consists of the SDN controller and DefenseFlow applications and is responsible for programming the network to: collect network statistics, intelligently mirror traffic to vDPI elements, divert suspicious traffic to attack mitigation systems and block malicious traffic at the most appropriate network locations.

Summary

The DefenseFlow Adaptive Network, Application and APT Protection solution leverages the field-proven Radware Attack Mitigation System mechanisms, in the form of an SDN application, together with SDN to enable cost-effective and scalable attack mitigation capabilities for organizations. The solution addresses a broad range of security threats, from network DDoS through application DDoS to APT, offering organizations one of the most cost-effective solutions to mitigate organizational risk.

DefenseFlow is a perfect example of how SDN changes existing network service architectures to employ a collaborative mechanism in which network and L4-7 systems interact and increase value to the end user. This is done by changing the network role from hosting services to being part of the service, in this case offering increased security protection. DefenseFlow is the only solution that addresses the dynamic nature (unknown type and scale) of attacks and brings the dynamic capabilities of SDN to mitigate the associated risks. Furthermore, as opposed to other available solutions that offer new APIs to program existing systems, DefenseFlow is a clear showcase of how SDN offers immediate value to organizations that run business-critical networks.